honeymoose/angular-cn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
angular-cn/packages/core/test/sanitization/sanitization_spec.ts

147 lines
7.4 KiB
TypeScript
Raw Normal View History

feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
/**
* @license
build: update license headers to reference Google LLC (#37205) Update the license headers throughout the repository to reference Google LLC rather than Google Inc, for the required license headers. PR Close #37205
2020-05-19 12:08:49 -07:00
* Copyright Google LLC All Rights Reserved.
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.io/license
*/
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
import {SECURITY_SCHEMA} from '@angular/compiler/src/schema/dom_security_schema';
refactor(ivy): Intruduce LFrame to store global instruction information (#33178) `LFrame` stores information specifice to the current `LView` As the code enters and leaves `LView`s we use `enterView()` and `leaveView()` respectively to build a a stack of `LFrame`s. This allows us to easily restore the previous `LView` instruction state. PR Close #33178
2019-10-14 13:59:17 -07:00
import {LView} from '@angular/core/src/render3/interfaces/view';
import {enterView, leaveView} from '@angular/core/src/render3/state';
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
feat(ivy): bridge compile instructions to include sanitization helpers (#24938) PR Close #24938
2018-07-11 10:58:18 -07:00
import {bypassSanitizationTrustHtml, bypassSanitizationTrustResourceUrl, bypassSanitizationTrustScript, bypassSanitizationTrustStyle, bypassSanitizationTrustUrl} from '../../src/sanitization/bypass';
refactor(core): express trusted constants with tagged template literals (#40082) The trustConstantHtml and trustConstantResourceUrl functions are only meant to be passed constant strings extracted from Angular application templates, as passing other strings or variables could introduce XSS vulnerabilities. To better protect these APIs, turn them into template tags. This makes it possible to assert that the associated template literals do not contain any interpolation, and thus must be constant. Also add tests for the change to prevent regression. PR Close #40082
2020-11-30 16:49:39 +00:00
import {getUrlSanitizer, ɵɵsanitizeHtml, ɵɵsanitizeResourceUrl, ɵɵsanitizeScript, ɵɵsanitizeStyle, ɵɵsanitizeUrl, ɵɵsanitizeUrlOrResourceUrl, ɵɵtrustConstantHtml, ɵɵtrustConstantResourceUrl} from '../../src/sanitization/sanitization';
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
import {SecurityContext} from '../../src/sanitization/security';
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
refactor(ivy): LContainer now stored in LView[PARENT] (#28382) - Removes CONTAINER_INDEX - LView[PARENT] now contains LContainer when necessary - Removes now unused arguments to methods after refactor PR Close #28382
2019-01-28 14:45:31 -08:00
function fakeLView(): LView {
refactor(ivy): simplify differentiation of LView, `RNode`, `LView`, `LContainer`, `StylingContext` (#28947) For efficiency reasons we often put several different data types (`RNode`, `LView`, `LContainer`, `StylingContext`) in same location in `LView`. This is because we don't want to pre-allocate space for it because the storage is sparse. This file contains utilities for dealing with such data types. How do we know what is stored at a given location in `LView`. - `Array.isArray(value) === false` => `RNode` (The normal storage value) - `Array.isArray(value) === true` => than the `value[0]` represents the wrapped value. - `typeof value[TYPE] === 'object'` => `LView` - This happens when we have a component at a given location - `typeof value[TYPE] === 'number'` => `StylingContext` - This happens when we have style/class binding at a given location. - `typeof value[TYPE] === true` => `LContainer` - This happens when we have `LContainer` binding at a given location. NOTE: it is assumed that `Array.isArray` and `typeof` operations are very efficient. PR Close #28947
2019-02-23 11:14:35 -08:00
return [null, {}] as LView;
refactor(ivy): LContainer now stored in LView[PARENT] (#28382) - Removes CONTAINER_INDEX - LView[PARENT] now contains LContainer when necessary - Removes now unused arguments to methods after refactor PR Close #28382
2019-01-28 14:45:31 -08:00
}
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
describe('sanitization', () => {
refactor(core): Ensure that `previousOrParentTNode` always belongs to current `TView`. (#38707) `previousOrParentTNode` stores current `TNode`. Due to inconsistent implementation the value stored would sometimes belong to the current `TView` and sometimes to the parent. We have extra logic which accounts for it. A better solution is to just ensure that `previousOrParentTNode` always belongs to current `TNode`. This simplifies the mental model and cleans up some code. PR Close #38707
2020-09-03 22:46:11 -07:00
beforeEach(() => enterView(fakeLView()));
refactor(ivy): Intruduce LFrame to store global instruction information (#33178) `LFrame` stores information specifice to the current `LView` As the code enters and leaves `LView`s we use `enterView()` and `leaveView()` respectively to build a a stack of `LFrame`s. This allows us to easily restore the previous `LView` instruction state. PR Close #33178
2019-10-14 13:59:17 -07:00
afterEach(() => leaveView());
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
class Wrap {
constructor(private value: string) {}
build: reformat repo to new clang@1.4.0 (#36613) PR Close #36613
2020-04-13 16:40:21 -07:00
toString() {
return this.value;
}
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
it('should sanitize html', () => {
refactor(core): make HTML sanitizer return TrustedHTML (#39218) Make Angular's HTML sanitizer return a TrustedHTML, as its output is trusted not to cause XSS vulnerabilities when used in a context where a browser may parse and evaluate HTML. Also update tests to reflect the new behaviour. PR Close #39218
2020-10-10 00:27:29 +00:00
expect(ɵɵsanitizeHtml('<div></div>').toString()).toEqual('<div></div>');
expect(ɵɵsanitizeHtml(new Wrap('<div></div>')).toString()).toEqual('<div></div>');
expect(ɵɵsanitizeHtml('<img src="javascript:true">').toString())
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
.toEqual('<img src="unsafe:javascript:true">');
refactor(core): make HTML sanitizer return TrustedHTML (#39218) Make Angular's HTML sanitizer return a TrustedHTML, as its output is trusted not to cause XSS vulnerabilities when used in a context where a browser may parse and evaluate HTML. Also update tests to reflect the new behaviour. PR Close #39218
2020-10-10 00:27:29 +00:00
expect(ɵɵsanitizeHtml(new Wrap('<img src="javascript:true">')).toString())
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
.toEqual('<img src="unsafe:javascript:true">');
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
expect(() => ɵɵsanitizeHtml(bypassSanitizationTrustUrl('<img src="javascript:true">')))
.toThrowError(/Required a safe HTML, got a URL/);
fix(core): convert legacy-sanitized values to Trusted Types (#39218) Use the bypass-specific Trusted Types policy for automatically upgrade any values from custom sanitizers or the bypassSecurityTrust functions to a Trusted Type. Update tests to reflect the new behavior. PR Close #39218
2020-10-10 02:16:12 +00:00
expect(ɵɵsanitizeHtml(bypassSanitizationTrustHtml('<img src="javascript:true">')).toString())
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
.toEqual('<img src="javascript:true">');
});
it('should sanitize url', () => {
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeUrl('http://server')).toEqual('http://server');
expect(ɵɵsanitizeUrl(new Wrap('http://server'))).toEqual('http://server');
expect(ɵɵsanitizeUrl('javascript:true')).toEqual('unsafe:javascript:true');
expect(ɵɵsanitizeUrl(new Wrap('javascript:true'))).toEqual('unsafe:javascript:true');
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
expect(() => ɵɵsanitizeUrl(bypassSanitizationTrustHtml('javascript:true')))
.toThrowError(/Required a safe URL, got a HTML/);
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeUrl(bypassSanitizationTrustUrl('javascript:true'))).toEqual('javascript:true');
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
});
it('should sanitize resourceUrl', () => {
docs: update links to use HTTPS as protocol (#39718) PR Close #39718
2020-11-16 22:37:09 +01:00
const ERROR = 'unsafe value used in a resource URL context (see https://g.co/ng/security#xss)';
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(() => ɵɵsanitizeResourceUrl('http://server')).toThrowError(ERROR);
expect(() => ɵɵsanitizeResourceUrl('javascript:true')).toThrowError(ERROR);
expect(() => ɵɵsanitizeResourceUrl(bypassSanitizationTrustHtml('javascript:true')))
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
.toThrowError(/Required a safe ResourceURL, got a HTML/);
fix(core): convert legacy-sanitized values to Trusted Types (#39218) Use the bypass-specific Trusted Types policy for automatically upgrade any values from custom sanitizers or the bypassSecurityTrust functions to a Trusted Type. Update tests to reflect the new behavior. PR Close #39218
2020-10-10 02:16:12 +00:00
expect(ɵɵsanitizeResourceUrl(bypassSanitizationTrustResourceUrl('javascript:true')).toString())
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
.toEqual('javascript:true');
});
it('should sanitize style', () => {
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeStyle('red')).toEqual('red');
expect(ɵɵsanitizeStyle(new Wrap('red'))).toEqual('red');
refactor: disable sanitization for [style] and [style.prop] bindings (#35621) This patch is the first of many commits to disable sanitization for [stlye.prop] and [style] bindings in Angular. Historically, style-based sanitization has only been required for old IE browsers (IE6 and IE7). Since Angular does not support these old browsers at all, there is no reason for the framework to support style-based sanitization. PR Close #35621
2020-02-21 14:11:00 -08:00
expect(ɵɵsanitizeStyle('url("http://server")')).toEqual('url("http://server")');
expect(ɵɵsanitizeStyle(new Wrap('url("http://server")'))).toEqual('url("http://server")');
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
expect(() => ɵɵsanitizeStyle(bypassSanitizationTrustHtml('url("http://server")')))
.toThrowError(/Required a safe Style, got a HTML/);
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeStyle(bypassSanitizationTrustStyle('url("http://server")')))
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
.toEqual('url("http://server")');
});
it('should sanitize script', () => {
const ERROR = 'unsafe value used in a script context';
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(() => ɵɵsanitizeScript('true')).toThrowError(ERROR);
expect(() => ɵɵsanitizeScript('true')).toThrowError(ERROR);
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
expect(() => ɵɵsanitizeScript(bypassSanitizationTrustHtml('true')))
.toThrowError(/Required a safe Script, got a HTML/);
fix(core): convert legacy-sanitized values to Trusted Types (#39218) Use the bypass-specific Trusted Types policy for automatically upgrade any values from custom sanitizers or the bypassSecurityTrust functions to a Trusted Type. Update tests to reflect the new behavior. PR Close #39218
2020-10-10 02:16:12 +00:00
expect(ɵɵsanitizeScript(bypassSanitizationTrustScript('true')).toString()).toEqual('true');
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
});
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
it('should select correct sanitizer for URL props', () => {
// making sure security schema we have on compiler side is in sync with the `getUrlSanitizer`
// runtime function definition
const schema = SECURITY_SCHEMA();
const contextsByProp: Map<string, Set<number>> = new Map();
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
const sanitizerNameByContext: Map<number, Function> = new Map([
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
[SecurityContext.URL, ɵɵsanitizeUrl], [SecurityContext.RESOURCE_URL, ɵɵsanitizeResourceUrl]
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
]);
Object.keys(schema).forEach(key => {
const context = schema[key];
if (context === SecurityContext.URL || SecurityContext.RESOURCE_URL) {
const [tag, prop] = key.split('|');
const contexts = contextsByProp.get(prop) || new Set<number>();
contexts.add(context);
contextsByProp.set(prop, contexts);
// check only in case a prop can be a part of both URL contexts
if (contexts.size === 2) {
build: reformat repo to new clang@1.4.0 (#36613) PR Close #36613
2020-04-13 16:40:21 -07:00
expect(getUrlSanitizer(tag, prop)).toEqual(sanitizerNameByContext.get(context)!);
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
}
}
});
});
it('should sanitize resourceUrls via sanitizeUrlOrResourceUrl', () => {
docs: update links to use HTTPS as protocol (#39718) PR Close #39718
2020-11-16 22:37:09 +01:00
const ERROR = 'unsafe value used in a resource URL context (see https://g.co/ng/security#xss)';
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(() => ɵɵsanitizeUrlOrResourceUrl('http://server', 'iframe', 'src')).toThrowError(ERROR);
expect(() => ɵɵsanitizeUrlOrResourceUrl('javascript:true', 'iframe', 'src'))
.toThrowError(ERROR);
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
expect(
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
() => ɵɵsanitizeUrlOrResourceUrl(
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
bypassSanitizationTrustHtml('javascript:true'), 'iframe', 'src'))
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
.toThrowError(/Required a safe ResourceURL, got a HTML/);
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeUrlOrResourceUrl(
fix(core): convert legacy-sanitized values to Trusted Types (#39218) Use the bypass-specific Trusted Types policy for automatically upgrade any values from custom sanitizers or the bypassSecurityTrust functions to a Trusted Type. Update tests to reflect the new behavior. PR Close #39218
2020-10-10 02:16:12 +00:00
bypassSanitizationTrustResourceUrl('javascript:true'), 'iframe', 'src')
.toString())
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
.toEqual('javascript:true');
});
it('should sanitize urls via sanitizeUrlOrResourceUrl', () => {
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeUrlOrResourceUrl('http://server', 'a', 'href')).toEqual('http://server');
expect(ɵɵsanitizeUrlOrResourceUrl(new Wrap('http://server'), 'a', 'href'))
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
.toEqual('http://server');
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeUrlOrResourceUrl('javascript:true', 'a', 'href'))
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
.toEqual('unsafe:javascript:true');
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeUrlOrResourceUrl(new Wrap('javascript:true'), 'a', 'href'))
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
.toEqual('unsafe:javascript:true');
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
expect(
() =>
ɵɵsanitizeUrlOrResourceUrl(bypassSanitizationTrustHtml('javascript:true'), 'a', 'href'))
.toThrowError(/Required a safe URL, got a HTML/);
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
expect(ɵɵsanitizeUrlOrResourceUrl(bypassSanitizationTrustUrl('javascript:true'), 'a', 'href'))
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
.toEqual('javascript:true');
});
refactor(core): express trusted constants with tagged template literals (#40082) The trustConstantHtml and trustConstantResourceUrl functions are only meant to be passed constant strings extracted from Angular application templates, as passing other strings or variables could introduce XSS vulnerabilities. To better protect these APIs, turn them into template tags. This makes it possible to assert that the associated template literals do not contain any interpolation, and thus must be constant. Also add tests for the change to prevent regression. PR Close #40082
2020-11-30 16:49:39 +00:00
it('should only trust constant strings from template literal tags without interpolation', () => {
expect(ɵɵtrustConstantHtml`<h1>good</h1>`.toString()).toEqual('<h1>good</h1>');
expect(ɵɵtrustConstantResourceUrl`http://good.com`.toString()).toEqual('http://good.com');
expect(() => (ɵɵtrustConstantHtml as any) `<h1>${'evil'}</h1>`)
.toThrowError(/Unexpected interpolation in trusted HTML constant/);
expect(() => (ɵɵtrustConstantResourceUrl as any) `http://${'evil'}.com`)
.toThrowError(/Unexpected interpolation in trusted URL constant/);
});
feat(ivy): bridge compile instructions to include sanitization helpers (#24938) PR Close #24938
2018-07-11 10:58:18 -07:00
});
Reference in New Issue Copy Permalink